> The installer, when run, will fetch more code for users to blindly execute > (as most of that code will be provided in compiled form). How is blindly > running an installer worse than running other code from the same provider?
Simply put the shasum of your installer on the website and ask the user to verify. That is what many projets do, and it's a three lines of installation instead of one. >> PS. There are ways of detecthing when something is piped straight to an >> interpreter and thus even if someone did curl and read the output and >> then curled into a shell they could still get infected as serving >> different pages depending on the circumstances isn't all that >> difficult. > This assumes https://nixos.org is already malicious - and then you shouldn't > run *anything* that comes from there. > The problem is not *ONLY* nixos.org. Depending of your country and your environment, TLS / HTTPS alone is not anymore a protocol that you can trust blindly - https://blog.filippo.io/untrusting-an-intermediate-ca-on-os-x/ - https://yro.slashdot.org/story/15/12/08/1451239/in-kazakhstan-the-internet-backdoors-you - https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning But without even considering that, "curl-pipe-bash" will cause your sysadmin to blow a fuse or heartbreak in most companies / environments. And for very good reasons. Transforming this into a three lines installation script with a simple "sha256sum -c " verification would not make users run away and would make the project look more professional. Adev Le 17/06/2016 14:07, Tomasz Kontusz a écrit : > > Dnia 17 czerwca 2016 13:12:57 CEST, Yui Hirasawa <[email protected]> napisał(a): >> I recently noticed that you recommend very malicious installation >> methods on your download page for nix[1] >> >> Retrieving code straight from the internet and blindly executing is >> never a good thing and you don't give any sort of recommendation for >> the >> user to inspect the script before running it. This completely defeats >> the point of having reproducible builds when your system can be >> completely infected when you install the package manager. This also >> means that anything installed through the package manager is >> potentially >> malicious as well. > The installer, when run, will fetch more code for users to blindly execute > (as most of that code will be provided in compiled form). How is blindly > running an installer worse than running other code from the same provider? > >>> $ curl https://nixos.org/nix/install | sh >> And this isn't made any better by the fact that you want users to run >> the script blindly as the superuser. >> >>> This script requires that you have sudo access to root, > The installer needs elevated privileges to do it's job. > >> I ask you to PLEASE remove this installation method from the >> recommendations on the page because it makes it look like you don't >> care >> about computer secuirty one bit. > Now, that's an interesting point. Are there many people who never installed > nix because the installer is the recommended installation method? > >> PS. There are ways of detecthing when something is piped straight to an >> interpreter and thus even if someone did curl and read the output and >> then curled into a shell they could still get infected as serving >> different pages depending on the circumstances isn't all that >> difficult. > This assumes https://nixos.org is already malicious - and then you shouldn't > run *anything* that comes from there. > >> [1]: https://nixos.org/nix/download.html >> _______________________________________________ >> nix-dev mailing list >> [email protected] >> http://lists.science.uu.nl/mailman/listinfo/nix-dev
signature.asc
Description: OpenPGP digital signature
_______________________________________________ nix-dev mailing list [email protected] http://lists.science.uu.nl/mailman/listinfo/nix-dev
